Monday, 21 November 2011

In the coming days I will write a post describing the major changes in the Security Guidance, but today I'm going to write about CloudSIRT, a project in which I am participating. The big news is that the evaluation of membership applications will start by the end of November; organizations that join by February 20th will become Charter Members and will enjoy additional membership benefits.

CloudSIRT (or better, CloudCERT*, the real name of the initiative), as the name suggests, is a project aimed at developing Incident Response best practices and information sharing within cloud environments. In fact, the mission of this project is to "Enhance the capability of the cloud community to prepare for and respond to vulnerabilities, threats, and incidents in order to preserve trust in cloud computing"... and this is a very ambitious mission.

In recent months, in order to create a framework for achieving this mission, our working group (led by John Howie and Jim Reavis) has set out the following principles:

- foster an open and collaborative environment among members that supports the goal of safe and secure cloud computing;

- seek to fill gaps in knowledge and capabilities specific to cloud computing security, while avoiding duplication of effort and conflict of ownership;

- be a responsible and responsive partner to governments, law enforcement and security organizations;

- strive to build trust with constituent members, third-party security organizations, and the cloud community at large so that information will flow freely to CloudSIRT;

- behave professionally and ethically within the membership and with any external contacts.

This project is an official CSA initiative that was conceived at the same time as the CSA itself but was formally announced only one year ago. During this year, among other activities, we have been working on bylaws that regulate the organization, relationships, membership and activities of CloudSIRT.

First of all, we established that there will be no cost to join CloudSIRT, and that eligible members will be limited to qualified organizations in the following categories:

- Cloud Providers;

- Telecommunications providers;

- CERTs, CSIRTs and ISACs (and similar).

However, upon approval of a two-thirds majority of the Board, other organizations will be able to join CloudSIRT.

More specifically, by Cloud Providers we mean organizations that own and manage the infrastructure used to provide services offering Public, Private or Community clouds (with one or more of IaaS, PaaS or SaaS), that maintain a permanent, dedicated Incident Response team, and that hold a direct relationship with their customers.

Eligible Telco Providers must have a carrier-class backbone and/or long-haul network connections over which public IP traffic is routed, must have established peering relationships with other telecommunications providers, and must maintain a permanent, dedicated Incident Response team.

Finally, eligible CERTs, CSIRTs and ISACs must be established by statute or regulation, or designated as a national or regional CERT/CSIRT by the national or regional government with jurisdiction, or must be recognized by a national or regional CERT/CSIRT as an industry CERT or ISAC.

Within CloudSIRT, the member organizations will share information regarding operational threats such as:

- attacks against infrastructure;

- malicious activity detected;

- evidence of compromise of another member;

- sources of attacks, signatures and patterns, account names, etc.

Since this information is critical and may contain sensitive data (personal data/PII, financial information, etc.), all members are required to sign a multi-party NDA that protects its confidentiality. We are also working on agreements, procedures and operational guides to ensure that this data is handled and shared lawfully.

CloudSIRT will share information within three communication perimeters:

- among member organizations as part of routine operations;

- with the CSA and its Working Groups to enable further research;

- externally to the public, to governments, and to industry.

Not all information will be shared through every perimeter, nor at the same time, so in order to regulate these information flows we decided to adopt the so-called "Traffic Light Protocol", which maps each piece of information to the communication perimeters it may reach.

CloudSIRT will publish all public information through its official communication channels (website, Twitter account and mailing list), which will be set up soon.

Finally, like all Cloud Security Alliance initiatives, CloudSIRT has a focus on research and will contribute to the CSA WGs, in particular those linked to the Guidance "Domain 9: Incident Response" and "Domain 3: Legal and Electronic Discovery". Moreover, CloudSIRT will contribute to external research specific to its focus and consistent with its Charter.

In the coming days I will publish other posts regarding Cloud Incident Response and CloudSIRT in particular, so if you are interested in these subjects... stay tuned!

*In the US and other countries, Carnegie Mellon University owns the rights to the name 'CERT', so we have begun the process of licensing CloudCERT with CMU. At the moment we have an agreement in principle to use CloudCERT, but we are using the name CloudSIRT until this formal agreement is ratified.